On Thu, 2009-07-02 at 11:32 -0400, Christopher Pardy wrote:
> Stephen, Josh: I think this might address all your concerns.
> Changes: No more code in libselinux, new handles have their
> disable_dontaudit flag set to 0 upon creation (old way),
> set_disable_dontaudit creates a file in the sandbox to make the setting
> visible after commits.
> Justification: After turning off dontaudit rules there is currently no
> way for the system to see that this change has been made, this creates a
> flag file which can be used as an indicator.

Include the original patch description and then summarize changes or
incorporate into the description.

> Note: still depends on patch 1/2
>
> Signed-off-by: Christopher Pardy <cpardy@xxxxxxxxxx>

Add "---" followed by diffstat -p1 output here.

Still getting whitespace mangled by thunderbird - need to configure it.

> diff -urpN selinux.orig2/libsemanage/src/handle.c selinux/libsemanage/src/handle.c
>
> --- selinux.orig2/libsemanage/src/handle.c 2009-07-01 21:15:17.288238017 -0400
>
> +++ selinux/libsemanage/src/handle.c 2009-07-02 11:29:20.740267205 -0400
> @@ -75,7 +76,12 @@ semanage_handle_t *semanage_handle_creat
>
> /* Set callback */
>
> sh->msg_callback = semanage_msg_default_handler;
>
> sh->msg_callback_arg = NULL;
>
> -
>
> +
>
> + /*set the flag to be deleted*/
>
> + char path[PATH_MAX];
>
> + path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT)

Missing semicolon? And you don't need to allocate a buffer, just a const
char * - semanage_fname() returns a pointer to the pathname.

>
> + remove(path);

Unconditional removal of the flag file whenever a handle is created?

> void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
>
> {
>
> + char path[PATH_MAX];
>
> + path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT)

Same issue here.

>
> + if(disable_dontaudit(sh) == 1){

What is this?

>
> + FILE *touch;
>
> + touch = fopen(path,"w");
>
> + fclose(touch);
>
> + }else
>
> + remove(path);
>
> return;
>
> }

-- 
Stephen Smalley
National Security Agency
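Review bot: in the semanage_handle_create hunk, `char path[PATH_MAX];` followed by `path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT)` assigns a pointer to an array and has no terminating semicolon, so the hunk cannot compile as posted; `const char *path = semanage_fname(SEMANAGE_DISABLE_DONTAUDIT);` is what is wanted. The unconditional `remove(path);` also contradicts the patch's own justification: the flag file is supposed to remain visible after commits, yet every process that merely creates a handle, including one that only reads the store, will delete it. Drop the removal from handle creation (the description already says a new handle starts with its disable_dontaudit flag at 0) and, wherever the file is removed, check the return value and report anything other than ENOENT through sh->msg_callback instead of discarding it.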
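Review bot: in the semanage_set_disable_dontaudit hunk, `if(disable_dontaudit(sh) == 1){` applies a function call to the int parameter disable_dontaudit, which cannot compile; the intended test is presumably `if (disable_dontaudit) {`. The sequence `touch = fopen(path,"w");` then `fclose(touch);` never checks for a NULL result, so a missing or unwritable sandbox directory becomes a NULL dereference; test the result, close only on success, and report the failure through the handle. The `path` declaration repeats the array-assignment and missing-semicolon problem from the first hunk, and the unbraced `}else` / `remove(path);` should carry the same braces as the if-branch.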